Inside The Ukrainian 'Hacktivist' Network Cyberbattling The Kremlin

A video published on YouTube, showing a masked Ukrainian "hacktivist", announces the operation by Ukrainian hacking groups Falcons Flame and Trinity in May against the websites of the Russia-backed separatist group Donetsk People’s Republic.

KYIV -- Dressed in a black sweater and equally nondescript turtleneck, with wisps of raven hair corkscrewing from under a black baseball cap, the lanky Ukrainian introduces himself in accented English as "Sean."

Sean Townsend is his chosen pseudonym on Facebook, complemented by images of the notorious Guy Fawkes mask of hacker group Anonymous and the Ukrainian coat of arms. Before Sean, he was "Ross Hatefield," until the world's leading social network banned that account for impersonation.

In hacker circles, he is better known as RUH8 -- pronounced "roo-hate" to express his aversion to all things Russian.

RUH8 agreed to speak with RFE/RL on condition that we avoid publishing his real name, which he only uses with friends unaware of what he does outside his day job as a Kyiv-based security researcher.

He provided details of the cyberwar that has been raging -- parallel to the shooting war between Ukraine and Russia-backed separatists in eastern Ukraine over the past 30 months -- between the respective sides' patriotic hackers using digital subterfuge.

RUH8 is part of a Ukrainian "hacktivist" collective that includes four hacker groups: CyberHunta, Falcons Flame, Trinity, and RUH8. When working together, they call themselves the Ukrainian Cyber Alliance. Their declared enemy is the Kremlin, and their avowed mission is to expose its meddling in Ukraine and ultimately to destroy Russian President Vladimir Putin's regime.

They regard a hacker group called CyberBerkut -- which international cybersecurity experts have blamed for digital attacks on Ukrainian ministries and its presidential election in 2014 -- as their Russian counterpart. They also believe CyberBerkut is an alias for Fancy Bear, a hacker group with suspected ties to the Russian state that is thought to have worked with another Russian group, Cozy Bear, to disrupt the upcoming U.S. presidential election.

'Swarm Of Bees'

A native of eastern Ukraine -- where separatists still control swaths of territory -- RUH8 says he delights in exacting digital revenge on those who have destabilized his country. A self-taught hacker with 20 years of contract work in security research for national and international companies, RUH8 insists he began hacking only after the start of the conflict.

"In the beginning, we didn't understand well how Russia was [fomenting] the war. It is a hybrid war," he says, using a term coined by Western analysts to describe the mix of cyber-, economic, media, psychological, and military operations Russia is thought to be employing to further its aims in Ukraine. "It was very tangled and we just didn't know who we were fighting with, so we started to collect [publicly available] information online."

Gleaned from social-media accounts and public videos, the resulting material was gathered and analyzed by groups of independent Ukrainian activists that formed alongside the hackers.

One such group is InformNapalm, an international volunteer community that emerged in March 2014 against the backdrop of Russia's invasion of Crimea. Its enigmatic founder is a Sevastopol-born Crimean known by the pseudonym Roman Burko, whose Facebook avatar is a digital fingerprint scan. For him, Russia's forcible annexation of the peninsula is personal.

Burko told RFE/RL that like the Cyber Alliance, InformNapalm and its ilk were made up of volunteers. They don't always collaborate, but they have coordinated their activities on larger projects to ensure maximum impact.

"We are like a swarm of bees," Burko said.

The Ukrainian side's latest salvo came on October 25, when the Cyber Alliance leaked more than a gigabyte of e-mails and documents purportedly extracted from the inbox of one of Putin's top aides, Vladislav Surkov.

The trove included texts that point to close cooperation between the Kremlin and pro-Russian separatists in eastern Ukraine, where Russian officials have consistently denied military involvement despite considerable evidence to the contrary. Some of the most incriminating documents suggest detailed information-sharing on casualty figures and financing, Surkov's hand in choosing separatist commanders, and a plan for "destabilization of the situation in Ukraine" between November 2016 and March 2017.

E-mails said to be from Vladislav Surkov's account appear to reveal in unprecedented detail plans for seizing Crimea from Ukraine and fomenting separatist unrest in the eastern Donetsk and Luhansk regions.

There have been other recent successes for the pro-Kyiv hacktivists, too.

The Cyber Alliance and InformNapalm collaborated to leak the mobile-phone data of a Russian national named Arseny Pavlov shortly after his death in an elevator bombing in eastern Ukraine in October. Better known by the nom de guerre Motorola, Pavlov commanded separatist fighters in Donetsk and had boasted of killing captive Ukrainian troops. The hackers alleged the leaked phone data showed, among other things, that Motorola had feared assassination by Russian security services.

In May, Falcons Flame and Trinity hacked and defaced nine websites associated with the separatist group that calls itself the Donetsk People's Republic and what the hackers said were private Russian military companies operating in Ukraine and Syria that were associated with Russia's Federal Security Service (FSB).

RUH8 also claims to have hacked the Russian State Duma's official website not once but twice in 2014, posting pro-Ukrainian messages such as "Glory to Ukraine!" across the homepage.

"We hacked it once -- they said it was then secured and the hackers would be found and punished," RUH8 says. "They started criminal investigations -- and then we hacked it a second time, to prove that they were ineffective."

Going 'Hybrid'

RUH8 says the Cyber Alliance includes between 10 and 15 hackers from across Ukraine with different backgrounds and specialties. The group works purely on a volunteer basis, he says, and coordinates via encrypted chat that is deleted after each conversation.

He insists there is no financial support from Ukraine's government but that from time to time they get messages from private supporters offering donations of around $50-$100 to their cause. Recently, RUH8 adds, money from such a donation went toward the purchase of an eight-terabyte external drive to store hacked data.

Sometimes they get hacking help from their Russian friends, he says. "There are people there who are so angry at their own government that they are risking spy charges and passing information to us," RUH8 explains. He declines to say whether any Russian citizens are in the Cyber Alliance.

RUH8 says the Cyber Alliance uses "all tools and methods" at its disposal to hack into their perceived foes' accounts. In particular, he says, spear-phishing -- using messages that mimic those of legitimate companies along with a request and link to change personal security information -- "is quite efficient."

"People readily give up their passwords and personal info," he says. "They receive something in their [e-]mail like, 'Your account will be suspended if you don't confirm [your security details].' They click that link and we have them."

RUH8 says such spear-phishing has proved particularly effective on pro-Russian separatist leaders, hinting at the possible method behind a hack that appeared to backfire in May for the Ukrainians. Western governments and rights groups widely condemned a Ukrainian nationalist website's actions after it obtained data that the Cyber Alliance had hacked from Donetsk separatists. The result was the posting of personal data on more than 5,000 local and foreign reporters or fixers who had applied with the separatists for press accreditation -- and in some cases allowed separatists to authorize their articles before publication. The Myrotvorets, or Peacemaker, website described them as "terrorist collaborators."

RUH8 credits "mostly CyberHunta" with the Surkov e-mail theft and says it was not the result of a spear-phishing scam but rather what he describes cryptically as "special software." He claims the malware allowed CyberHunta not only to retrieve Surkov's e-mail but to "take the entire [Russian] presidential administration system under their control, and they gathered information right from the computers."

Andrei Soldatov, one of Russia's most prominent cybersecurity experts and co-author of The Red Web, a history of the Russian Internet, calls it unsurprising that hackers could get into Kremlin computers. He cites an aversion among Russian government employees to the requirement to use exclusively devices and programs provided by Russia's Federal Protection Service (FSO).

"In practical terms, lots of people do not follow these rules, and they use lots of devices, only some of them provided by [the] FSO," Soldatov tells RFE/RL. The FSO is often slow to approve new devices for official use, he adds, and many Russians prefer the latest models of smartphones and laptop computers.

The Surkov Theft

Dubbed by some the Kremlin's "gray cardinal," Surkov is widely regarded as a chief architect of Putin's governing system and is the Russian president's point man on Ukraine as well as Moldova and Georgia, both of which suffer from frozen conflicts complicated by the presence of Russian troops.

The United States and European Union have each targeted Surkov with sanctions for his alleged role in events in Ukraine.

The 2,337 e-mails and hundreds of attachments at the center of the Surkov leak are dated between September 2013 and December 2014. Sent and received from the account prm_surkova@gov.ru, they appear to reveal in unprecedented detail plans for seizing Crimea from Ukraine and fomenting separatist unrest in the eastern Donetsk and Luhansk regions that erupted into full-blown -- but undeclared -- war that has killed nearly 10,000 people in eastern Ukraine since April 2014.

It is unclear whether Surkov personally saw or had access to the inbox at the center of the recent Cyber Alliance leak, which appears to have been handled by two aides identified as Maria and Yevgenia. (Reached by RFE/RL's Russian Service, both declined to comment.)

The Kremlin has not explicitly called the documents fakes, but presidential spokesman Dmitry Peskov did say of one unspecified text that Surkov "doesn't use electronic mail...so someone must have sweated quite a bit to compose this document."

Analyst Aric Toler of the British-based, open-source investigative group Bellingcat and the Atlantic Council's Digital Forensic Lab concluded on October 25 that their metadata appeared authentic.

Ukrainian officials have exercised caution in their public treatment of the data dump. Oleksandr Tkachuk, chief of staff for the Ukrainian Security Service (SBU), told RFE/RL in late October that the agency managed "to authenticate a number of documents in the release." But he acknowledged that "there is not enough evidence to believe the entire [collection] of documents found in Surkov's e-mails is actually original or authentic."

One of the biggest potential bombshells connected with the Surkov leak is a PDF file -- not included in the batch of documents released publicly -- that outlines "urgent measures for the destabilization of the situation in Ukraine." Ostensibly sent to Surkov's office by Pavel Karpov, a reputed Russian handler for separatists in Luhansk also known as Nikolai Pavlov, it calls for infiltrating the Ukrainian parliament and civil-society groups and providing anticorruption activists with genuine evidence of criminal misconduct by Ukrainian President Petro Poroshenko and his allies. The suggested timeline is November 2016 to March 2017.

The absence of the "destabilization" document among those in the public dump has contributed to questions about its authenticity.

Toler expressed doubts to RFE/RL about its legitimacy.

Tkachuk acknowledged the document looked "strange" but said preliminary analysis suggested the plot was real. He said documents found by the SBU during a 2014 search and seizure of property belonging to an organizer of a separatist movement in Zakarpattya, in western Ukraine, revealed specific details also included in the "destabilization" PDF file.

"We can see that some parts of this plan actually are already being executed in Ukraine," Tkachuk said. "For example, the attempts to infiltrate our patriotic movements and volunteer battalions, to infiltrate pro-Ukrainian forces. In our other investigations regarding Russian intelligence activity on Ukrainian soil, we see some parts of this plan being executed currently."

Since its initial public data dump, the Cyber Alliance has handed over to the SBU many of the Surkov e-mails -- including some from 2015 and 2016 that have so far not been made public.

Several people with e-mails in the Surkov leak have confirmed their messages posted by the Ukrainian hackers were indeed ones they had exchanged with the Putin aide.

Leaked letters also suggest Surkov and another powerful Moscow figure handpicked leaders of the Russia-backed separatists fighting in eastern Ukraine. Denis Pushilin, chairman of the Donetsk People's Republic group, appears to have sent Surkov an e-mail in June 2014 that listed casualties when fighting flared up around Donetsk's international airport in the preceding weeks. Later in the month, Pushilin seemingly provided Surkov with a spreadsheet listing startup costs for a "Ministry of Information" and a propaganda center in Donetsk.

Whose Victories?

Ukrainian intelligence officials have gone on the record to deny having ties to the budding army of hacktivists, but RUH8 laughs out loud when asked about such public statements.

The Cyber Alliance, he insists, gets limited support from Ukraine's intelligence community.

Asked about RUH8's claim, the SBU's Tkachuk told RFE/RL that "to the best of my knowledge, we do not maintain contact with hacking groups because hacking is illegal."

He added, "As an official organization, we are not allowed to talk with people who use illegal methods, even if these methods are used for good."

"We talk privately with operatives in the security services," RUH8 says. "Sometimes they ask, 'Do you know this guy?' or, 'Can you tell us something about' some topic?"

He notes that hacking can be less an inexact science than an art -- or even simply "a matter of luck."

The timing of the Surkov e-mail leak has also led to speculation that the United States might have played a part.

A White House spokesman said on October 11 that the United States would carry out a "proportional" response to alleged hacking by Russia of U.S. election-related institutions and other computer systems. Vice President Joe Biden then said a "message will be sent" by U.S. officials "at the time of our choosing."

But NBC News quoted a senior U.S. intelligence official as saying Washington "had no role" in the Surkov hack.

Confronted directly, RUH8 insists U.S. hackers were not involved in the Surkov leak. "It was a purely native Ukrainian hack," he says, grinning. Then he adds, "If American guys -- who are known to be very clever -- pass some information to us, we will be glad to use it."

More Leaks To Come

RUH8 says he and his colleagues have enjoyed operating with seeming impunity and with at least tacit support from Ukraine's government and its intelligence community.

"To be a hacker, to be semi-openly hacking without any worries of being tracked down and arrested,... it's fun," he tells RFE/RL. "It is illegal, but we don't worry much about possible prosecution."

With Crimea in Russian hands and swaths of Donetsk and Luhansk controlled by pro-Moscow separatists, average Ukrainians are unlikely to be losing much sleep over the hackers' methods either.

"They are heroes, of course," Tetyana Popova, a former deputy information minister, tells RFE/RL. "It's worrying to some extent, but what Russia and Surkov are doing to Ukraine is also illegal."

She describes the hacktivists who are targeting Russia and anti-Kyiv separatists as "an answer from Ukraine society to what Russia is doing to Ukraine."

RUH8 pledges that "RUH8 will be disbanded after the war is over.... It was created for this war."

But with Ukraine peace talks stalled and Russia continuing to press its hand against the West, the war grinds on with no end in sight.

And so does the Cyber Alliance.

RUH8 warns of more leaks to come. "We have published only a small part of the Surkov e-mails," he says, adding the e-mails obtained by the Cyber Alliance include information from "not only Surkov, but others in Putin's administration."

To prove it, RUH8 pulls out from his black bag a black laptop with what he claims is 100 gigabytes of hacked data. He shows off a list of dozens of e-mail accounts, many of them ending in the official Russian government suffix "gov.ru." They included instantly recognizable names of senior Putin advisers.

In the purported inbox of one Putin adviser is an October 22 e-mail that appears to be from a Russian adviser to Ukraine's separatist leaders. Laced with profanity and words in all capitals, the message includes quips about a Ukrainian in the separatist government that he counsels who has "joined the party of traitors of the high council" of Donetsk separatists after declining an offer from Kyiv to help with humanitarian assistance.